@blamejs/core 0.8.38 → 0.8.39

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
 - v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.
 
 - **0.8.37** (2026-05-08) — D-L family SQL/schema hygiene. **`_blamejs_audit_purge_anchor.scope` CHECK constraint** — `scope IN ('audit', 'consent')`. Pre-v0.8.37 a typo silently created a parallel anchor; the chain verifier walked the wrong anchor and missed tampering. **`personalDataCategories` vocabulary validation** — operator-supplied categories validated against the GDPR Article 9 special-category vocabulary + the framework's general categories at `db.init`. Unknown categories don't refuse (operators have legitimate custom labels) but emit a `db.personal_data_category_unknown` audit row so typos surface in regulator reviews. Allowed: `name`, `email`, `phone`, `address`, `ip`, `id-document`, `biometric`, `health`, `genetic`, `sexual-orientation`, `racial-or-ethnic-origin`, `political-opinion`, `religious-belief`, `trade-union-membership`, `criminal-record`, `financial`, `location`, `behavioral`, `device-id`, `child-data`, `education`, `employment`, `operator-defined`.

package/index.js

@@ -162,6 +162,7 @@ var auth = {
   acr:        require("./lib/auth/acr-vocabulary"),
   authTime:   require("./lib/auth/auth-time-tracker"),
   accessLock: require("./lib/auth/access-lock"),
+  atoKillSwitch: require("./lib/auth/ato-kill-switch"),
 };
 var template = require("./lib/template");
 var render = require("./lib/render");

package/lib/audit.js

@@ -247,6 +247,7 @@ var FRAMEWORK_NAMESPACES = [
   "fdx",        // b.fdx (fdx.bound / fdx.consent_receipt_issued)
   "tcpa10dlc",  // b.tcpa10dlc (tcpa10dlc.consent_recorded / consent_revoked)
   "iabmspa",    // b.iabMspa (iabmspa.processing_refused)
+  "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/auth/ato-kill-switch.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * b.auth.atoKillSwitch — composite primitive for account-takeover
+ * incident response. Composes `b.session.destroyAllForUser` +
+ * `b.auth.lockout.lock` + (optionally) `b.auth.accessLock` mode flip
+ * into a single operator-callable workflow.
+ *
+ * Trigger conditions are operator territory (SOC alert, fraud signal,
+ * user self-report, IDS rule); this primitive is the deterministic
+ * cleanup path once the trigger fires:
+ *
+ *   1. destroy every session for the user across the cluster
+ *   2. lock the user out of new logins (b.auth.lockout)
+ *   3. emit an audit row with reason / actor for downstream forensics
+ *
+ *   await b.auth.atoKillSwitch.trigger({
+ *     userId:    "u_42",
+ *     reason:    "fraud-signal: 14 failed MFA from new geo",
+ *     actor:     { id: req.user && req.user.id, role: req.user && req.user.role },
+ *     lockout:   true,                  // default true
+ *     accessLock: "locked",             // optional — flip the global access-lock mode
+ *   });
+ *
+ * Returns `{ sessionsDestroyed, lockoutApplied, accessLockMode }`.
+ */
+
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var session = lazyRequire(function () { return require("../session"); });
+var lockout = lazyRequire(function () { return require("./lockout"); });
+var accessLock = lazyRequire(function () { return require("./access-lock"); });
+var audit = lazyRequire(function () { return require("../audit"); });
+
+var AtoKillSwitchError = defineClass("AtoKillSwitchError", { alwaysPermanent: true });
+
+async function trigger(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "userId", "reason", "actor", "lockout", "accessLock",
+  ], "auth.atoKillSwitch.trigger");
+
+  validateOpts.requireNonEmptyString(opts.userId, "userId", AtoKillSwitchError, "auth-ato-kill-switch/missing-user-id");
+  validateOpts.requireNonEmptyString(opts.reason, "reason", AtoKillSwitchError, "auth-ato-kill-switch/missing-reason");
+  var doLockout       = opts.lockout !== false;
+  var accessLockMode  = typeof opts.accessLock === "string" ? opts.accessLock : null;
+
+  var sessionsDestroyed = 0;
+  try {
+    sessionsDestroyed = await session().destroyAllForUser(opts.userId);
+  } catch (e) {
+    audit().safeEmit({
+      action: "auth.ato_kill_switch.partial",
+      outcome: "failure",
+      metadata: {
+        userId: opts.userId,
+        step:   "destroy-sessions",
+        reason: e && e.message,
+      },
+    });
+    throw e;
+  }
+
+  var lockoutApplied = false;
+  if (doLockout) {
+    try {
+      await lockout().lock(opts.userId, {
+        reason: "ato-kill-switch:" + opts.reason,
+      });
+      lockoutApplied = true;
+    } catch (_e) { /* lockout is best-effort; sessions already destroyed */ }
+  }
+
+  var modeApplied = null;
+  if (accessLockMode !== null) {
+    try {
+      var lock = accessLock();
+      if (lock && typeof lock.set === "function") {
+        await lock.set(accessLockMode, {
+          actor:  opts.actor || null,
+          reason: "ato-kill-switch:" + opts.reason,
+        });
+        modeApplied = accessLockMode;
+      }
+    } catch (_e) { /* operator may not have wired global accessLock; fine */ }
+  }
+
+  audit().safeEmit({
+    action: "auth.ato_kill_switch.triggered",
+    outcome: "success",
+    metadata: {
+      userId:             opts.userId,
+      reason:             opts.reason,
+      actor:              opts.actor || null,
+      sessionsDestroyed:  sessionsDestroyed,
+      lockoutApplied:     lockoutApplied,
+      accessLockMode:     modeApplied,
+    },
+  });
+
+  return {
+    sessionsDestroyed: sessionsDestroyed,
+    lockoutApplied:    lockoutApplied,
+    accessLockMode:    modeApplied,
+  };
+}
+
+module.exports = {
+  trigger:              trigger,
+  AtoKillSwitchError:   AtoKillSwitchError,
+};

package/lib/config-drift.js

@@ -292,10 +292,70 @@ function create(opts) {
   };
 }
 
+// verifyVendorIntegrity — at-boot integrity check over `lib/vendor/*`.
+// MANIFEST.json carries a sha256 digest per bundled file; we re-hash
+// each one and refuse on mismatch. Catches a half-applied vendor
+// refresh, a corrupted install, or an attacker who modified a
+// vendored cjs without updating the manifest. Returns
+// `{ ok, mismatches: [{ path, expected, actual }] }` and emits
+// `vendor.integrity.{verified,tampered}` audit on each call.
+function verifyVendorIntegrity(opts) {
+  opts = opts || {};
+  var libVendorDir  = opts.libVendorDir  || path.join(process.cwd(), "lib", "vendor");
+  var manifestPath  = opts.manifestPath  || path.join(libVendorDir, "MANIFEST.json");
+  var raw;
+  try { raw = fs.readFileSync(manifestPath, "utf8"); }
+  catch (_e) {
+    throw _err("VENDOR_MANIFEST_MISSING",
+      "vendor MANIFEST.json missing at " + manifestPath, true);
+  }
+  var manifest = safeJson.parse(raw);
+  if (!manifest || typeof manifest.packages !== "object") {
+    throw _err("VENDOR_MANIFEST_SHAPE",
+      "vendor MANIFEST.json missing `packages` map", true);
+  }
+  var mismatches = [];
+  var checkedCount = 0;
+  Object.keys(manifest.packages).forEach(function (pkgName) {
+    var pkg = manifest.packages[pkgName];
+    var files = (pkg && pkg.files) || {};
+    var hashes = (pkg && pkg.hashes) || {};
+    Object.keys(files).forEach(function (kind) {
+      var rel = files[kind];
+      var expected = hashes[kind];
+      if (typeof rel !== "string" || typeof expected !== "string") return;
+      var abs = path.isAbsolute(rel) ? rel : path.join(process.cwd(), rel);
+      var actual;
+      try {
+        var bytes = fs.readFileSync(abs);
+        actual = "sha256:" + require("node:crypto")
+          .createHash("sha256").update(bytes).digest("hex");
+      } catch (_e) {
+        mismatches.push({ pkg: pkgName, kind: kind, path: rel, expected: expected, actual: "<read-failed>" });
+        return;
+      }
+      checkedCount += 1;
+      if (actual !== expected) {
+        mismatches.push({ pkg: pkgName, kind: kind, path: rel, expected: expected, actual: actual });
+      }
+    });
+  });
+  var ok = mismatches.length === 0;
+  try {
+    audit().safeEmit({
+      action: ok ? "vendor.integrity.verified" : "vendor.integrity.tampered",
+      outcome: ok ? "success" : "failure",
+      metadata: { checkedCount: checkedCount, mismatchCount: mismatches.length },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return { ok: ok, checkedCount: checkedCount, mismatches: mismatches };
+}
+
 module.exports = {
-  create:            create,
-  ConfigDriftError:  ConfigDriftError,
+  create:                  create,
+  verifyVendorIntegrity:   verifyVendorIntegrity,
+  ConfigDriftError:        ConfigDriftError,
   // Test-only export for hashing — operators don't need this directly.
-  _hashSnapshot:     _hashSnapshot,
-  _stableStringify:  _stableStringify,
+  _hashSnapshot:           _hashSnapshot,
+  _stableStringify:        _stableStringify,
 };

package/lib/network.js

@@ -7,6 +7,7 @@ var proxy    = require("./network-proxy");
 var trust    = require("./network-tls");
 var heartbeat = require("./network-heartbeat");
 var smtpPolicy = require("./network-smtp-policy");
+var ssrfGuard  = require("./ssrf-guard");
 
 var validateOpts = require("./validate-opts");
 var lazyRequire = require("./lazy-require");
@@ -226,6 +227,7 @@ module.exports = {
     dane:      smtpPolicy.dane,
     tlsRpt:    smtpPolicy.tlsRpt,
   },
+  allowlist:  { create: ssrfGuard.createAllowlist },
   socket: {
     setDefaultNoDelay:   _setSocketNoDelay,
     setDefaultKeepAlive: _setSocketKeepAlive,

package/lib/ssrf-guard.js

@@ -403,10 +403,65 @@ async function checkUrl(url, opts) {
   return { url: parsed, ips: ips };
 }
 
+// b.network.allowlist — contextual per-call egress allowlist composing
+// on ssrfGuard. Operators describe an allowed CIDR set + denylist;
+// the resulting `assert(url)` either resolves to the validated IP set
+// or throws SsrfError. Distinct from `ssrfGuard.checkUrl` (which uses
+// the framework's hard-coded private/cloud-metadata ban list) — this
+// is for cases where the operator's deployment has SPECIFIC outbound
+// targets and everything else should be refused.
+//
+//   var egress = b.network.allowlist.create({
+//     allow: ["api.partner.example.com", "192.0.2.0/24"],
+//     deny:  ["api.partner.example.com/admin"],
+//   });
+//   await egress.assert("https://api.partner.example.com/v1/x");
+function createAllowlist(opts) {
+  opts = opts || {};
+  var allowList = Array.isArray(opts.allow) ? opts.allow.slice() : [];
+  var denyList  = Array.isArray(opts.deny)  ? opts.deny.slice()  : [];
+  if (allowList.length === 0) {
+    throw new SsrfError(
+      "network.allowlist.create requires at least one entry in `allow`",
+      "ssrf-guard/empty-allowlist", {});
+  }
+  function _matches(list, hostOrIp) {
+    for (var i = 0; i < list.length; i++) {
+      var entry = list[i];
+      if (entry === hostOrIp) return true;
+      if (entry.indexOf("/") !== -1) {
+        try { if (cidrContains(entry, hostOrIp)) return true; } catch (_e) { /* ignore */ }
+      }
+    }
+    return false;
+  }
+  async function assertUrl(url) {
+    var parsed;
+    try { parsed = new URL(url); }                                                 // allow:raw-new-url — local URL parse for hostname extraction
+    catch (_e) {
+      throw new SsrfError("invalid URL", "ssrf-guard/bad-url", { url: url });
+    }
+    var host = parsed.hostname;
+    if (!_matches(allowList, host)) {
+      throw new SsrfError(
+        "URL host '" + host + "' not on the operator allowlist",
+        "ssrf-guard/not-on-allowlist", { url: url, host: host });
+    }
+    if (_matches(denyList, host)) {
+      throw new SsrfError(
+        "URL host '" + host + "' on the operator denylist",
+        "ssrf-guard/on-denylist", { url: url, host: host });
+    }
+    return checkUrl(parsed.toString(), { allowInternal: true });
+  }
+  return { assert: assertUrl };
+}
+
 module.exports = {
   classify:        classify,
   cidrContains:    cidrContains,
   checkUrl:        checkUrl,
+  createAllowlist: createAllowlist,
   isPrivate:       function (ip) { return classify(ip) === "private"; },
   isLoopback:      function (ip) { return classify(ip) === "loopback"; },
   isLinkLocal:     function (ip) { return classify(ip) === "link-local"; },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.38",
+  "version": "0.8.39",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:33e4b58d-3cab-4ba0-b54a-4fd4a9b62e38",
+  "serialNumber": "urn:uuid:319bfdfd-c9b3-4f86-a42e-c3441466295e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T16:03:53.948Z",
+    "timestamp": "2026-05-07T16:17:54.954Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.38",
+      "bom-ref": "@blamejs/core@0.8.39",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.38",
+      "version": "0.8.39",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.38",
+      "purl": "pkg:npm/%40blamejs/core@0.8.39",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.38",
+      "ref": "@blamejs/core@0.8.39",
       "dependsOn": []
     }
   ]